Tobias/No-Internet.Group
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8 Commits 1 Branch 0 Tags
73fd60c6210ea154f3ea6ab04adf9c20f500df5a
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
tobias 73fd60c621 Update README.md
2026-03-08 21:11:19 +00:00
README.md
Update README.md
2026-03-08 21:11:19 +00:00

README.md

No-Internet Group

Description

Simple methodology to prevent specified Linux desktop programs having access to the public Internet via iptables

Getting Started

Dependencies

*iptables

*systemd or cron

*sg

Creating the Group

First we will create the controlled access group through which programs will be denied public network access

groupadd no-internet

And add your user to it

usermod -a -G no-internet youruser

You should now see no-internet as a group your user is a member of

groups youruser

Your user will need to be a member of the group as we will run the programs through sg

Creating the Systemd Service

Next we will create a systemd service which uses iptables to drop outbound connections made by the "no-internet" group

touch /etc/systemd/system/no-internet.service
nano /etc/systemd/system/no-internet.service

Enter the following within the service file then write and quit

[Unit]
Description=blocks network access for the group "no-internet"

[Service]
ExecStart=iptables -I OUTPUT -m owner --gid-owner "no-internet" -j DROP

[Install]
WantedBy=multi-user.target

Breakdown of iptables command:

*iptables is an administration tool for IPv4/IPv6 packet filtering

*the -I OUTPUT flag specifies the rule is responsible for packets leaving the host

*the -m owner flag allows packet filtering based upon the owner of the process

*the --gid-owner "no-internet" flag specifies for the rule to match processes created by the group 'no-internet'

*the -j DROP flag specifies the action to take, in this case dropping the packetnn

Next we will reload our services, then enable no-internet so it persistently starts at boot

systemctl daemon-reload
systemctl enable no-internet.service
systemctl start no-internet.service

Note: a similar effect could be achived via crontab by making an entry along the lines of

@reboot  root  iptables -I OUTPUT 1 -m owner --gid-owner "no-internet" -j DROP

Modifying .desktop entries

Limitations

As iptables operates at layer 3 programs ran through this sandboxed group will still be able to reach devices within the same broadcast domain

Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme 238 KiB